################################################################################
#
#    Licensed to the Apache Software Foundation (ASF) under one or more
#    contributor license agreements.  See the NOTICE file distributed with
#    this work for additional information regarding copyright ownership.
#    The ASF licenses this file to You under the Apache License, Version 2.0
#    (the "License"); you may not use this file except in compliance with
#    the License.  You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS,
#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#    See the License for the specific language governing permissions and
#    limitations under the License.
#
################################################################################

#
# Generic JMX ACL
#
# This file defines the roles required for MBean operations for MBeans that 
# do not have this defined explicitly.
#
# The definition of ACLs for JMX operations works as follows:
#
# The required roles for JMX operations are defined in configuration files
# read via OSGi ConfigAdmin.
#
# JMX RBAC-related configuration is prefixed with jmx.acl and based on the
# JMX ObjectName that it applies to. For example specific configuration for
# an MBean with the following objectName: foo.bar:type=Test can be placed in
# a configuration file called jmx.acl.foo.bar.Test.cfg. More generic
# configuration can be placed in the domain (e.g. jmx.acl.foo.bar.cfg) or
# at the top level (jmx.acl.cfg). A simple configuration file looks like
# this:
#   test : admin
#   getVal : manager, viewer
#   
# The system looks for required roles using the following process:
# The most specific configuration file/pid is tried first. E.g. in the
# above example the jmx.acl.foo.bar.Test.cfg is looked at first. In this
# configuration, the system looks for a:
#   1. Specific match for the current invocation, e.g. test(int)["17"] : role1
#   2. Reg exp match for the current invocation, e.g. test(int)[/[0-9]/] : role2
#   In both cases the passed argument is converted to a String for the
# comparison.
#   If any of the above match all the roles with matching definitions
# are collected and allowed. If no matches are found the following is tried:
#   3. Signature match for the invocation, e.g. test(int) : role3. If
# matched the associated roles are used.
#   4. Method name match for the invocation, e.g. test : role4. If matched
# the associated roles are used.
#   5. A method name wildcard match, e.g. te* : role5. For all the
# wildcard matches found in the current configuration file, the roles
# associated with the longest match are used. So if you have te* and * and
# the method invoked is 'test', then the roles defined with te* are used,
# not the ones defined with *.
# If no matching definition is found in the current configuration file, a 
# more general configuration file is looked for. So jmx.acl.foo.bar.cfg is 
# tried next, this matches the domain of the MBean. If there is no match 
# found in the domain the most generic configuration file is consulted
# (jmx.acl.cfg).
# If a matching definition is found, this is used and the process will not
# look for any other matching definitions. So the most specific definition
# always takes precedence.
#
list* = viewer
get* = viewer
is* = viewer
set* = admin
* = admin